commit:     e0e0415382f55c1c392facd407a21555b6b55c8c
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Fri Apr  5 17:13:34 2019 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Fri Apr  5 17:13:45 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0e04153

net-misc/aria2: Backport the fix for CVE-2019-3500

Backport fix for potential password leakage in logs (CVE-2019-3500).
Ideally this would be a fresh snapshot but autoreconf fails on aria2
git.

Bug: https://bugs.gentoo.org/674622
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

 net-misc/aria2/aria2-1.34.0-r1.ebuild              | 155 +++++++++++++++++++++
 .../aria2/files/aria2-1.34.0-mask-headers.patch    |  46 ++++++
 2 files changed, 201 insertions(+)

diff --git a/net-misc/aria2/aria2-1.34.0-r1.ebuild 
b/net-misc/aria2/aria2-1.34.0-r1.ebuild
new file mode 100644
index 00000000000..1522945364e
--- /dev/null
+++ b/net-misc/aria2/aria2-1.34.0-r1.ebuild
@@ -0,0 +1,155 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit bash-completion-r1
+
+DESCRIPTION="A download utility with segmented downloading with BitTorrent 
support"
+HOMEPAGE="https://aria2.github.io/";
+SRC_URI="https://github.com/aria2/${PN}/releases/download/release-${PV}/${P}.tar.xz";
+
+LICENSE="GPL-2"
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux"
+SLOT="0"
+IUSE="adns bittorrent +gnutls jemalloc libuv +libxml2 metalink +nettle nls 
sqlite scripts ssh ssl tcmalloc test xmlrpc"
+
+CDEPEND="sys-libs/zlib:0=
+       ssl? (
+               app-misc/ca-certificates
+               gnutls? ( >=net-libs/gnutls-1.2.9:0= )
+               !gnutls? ( dev-libs/openssl:0= ) )
+       adns? ( >=net-dns/c-ares-1.5.0:0= )
+       bittorrent? (
+               ssl? (
+                       gnutls? (
+                               nettle? ( >=dev-libs/nettle-2.4:0=[gmp] 
>=dev-libs/gmp-6:0= )
+                               !nettle? ( >=dev-libs/libgcrypt-1.2.2:0= ) ) )
+               !ssl? (
+                       nettle? ( >=dev-libs/nettle-2.4:0=[gmp] 
>=dev-libs/gmp-6:0= )
+                       !nettle? ( >=dev-libs/libgcrypt-1.2.2:0= ) ) )
+       jemalloc? ( dev-libs/jemalloc )
+       libuv? ( >=dev-libs/libuv-1.13:0= )
+       metalink? (
+               libxml2? ( >=dev-libs/libxml2-2.6.26:2= )
+               !libxml2? ( dev-libs/expat:0= ) )
+       sqlite? ( dev-db/sqlite:3= )
+       ssh? ( net-libs/libssh2:= )
+       tcmalloc? ( dev-util/google-perftools )
+       xmlrpc? (
+               libxml2? ( >=dev-libs/libxml2-2.6.26:2= )
+               !libxml2? ( dev-libs/expat:0= ) )"
+
+DEPEND="${CDEPEND}
+       app-arch/xz-utils
+       virtual/pkgconfig
+       nls? ( sys-devel/gettext )
+       test? ( >=dev-util/cppunit-1.12.0:0 )"
+RDEPEND="${CDEPEND}
+       nls? ( virtual/libiconv virtual/libintl )
+       scripts? ( dev-lang/ruby )"
+
+# xmlrpc has no explicit switch, it's turned out by any XML library
+# so metalink implicitly forces it on
+REQUIRED_USE="?? ( jemalloc tcmalloc )
+       metalink? ( xmlrpc )"
+RESTRICT="!test? ( test )"
+
+pkg_setup() {
+       if use scripts && ! use xmlrpc; then
+               ewarn "Please note that you may need to enable USE=xmlrpc to 
run the aria2rpc"
+               ewarn "and aria2mon scripts against the local aria2."
+       fi
+}
+
+src_prepare() {
+       eapply "${FILESDIR}"/${P}-make_unique.patch
+       # https://bugs.gentoo.org/674622 (CVE-2019-3500)
+       eapply "${FILESDIR}"/${P}-mask-headers.patch
+       default
+       sed -i -e "s|/tmp|${T}|" test/*.cc test/*.txt || die "sed failed"
+}
+
+src_configure() {
+       local myconf=(
+               # threads, epoll: check for best portability
+
+               # do not try to compile and run a test LIBXML program
+               --disable-xmltest
+               # enable the shared library
+               --enable-libaria2
+               # zlib should always be available anyway
+               --with-libz
+               --with-ca-bundle="${EPREFIX}/etc/ssl/certs/ca-certificates.crt"
+
+               # optional features
+               $(use_enable bittorrent)
+               $(use_enable metalink)
+               $(use_enable nls)
+               $(use_with adns libcares)
+               $(use_with jemalloc)
+               $(use_with libuv)
+               $(use_with sqlite sqlite3)
+               $(use_with ssh libssh2)
+               $(use_with tcmalloc)
+       )
+
+       # SSL := gnutls / openssl
+       # USE=ssl
+       #  + USE=gnutls -> gnutls
+       #  + USE=-gnutls -> openssl
+
+       if use ssl; then
+               myconf+=( $(use_with gnutls) $(use_with !gnutls openssl) )
+       else
+               myconf+=( --without-gnutls --without-openssl )
+       fi
+
+       # message-digest := nettle / gcrypt / openssl
+       # bignum := nettle+gmp / gcrypt / openssl
+       # bittorrent := message-digest + bignum
+       # USE=bittorrent
+       #  + USE=(ssl -gnutls) -> openssl
+       #  + USE=nettle -> nettle+gmp
+       #  + USE=-nettle -> gcrypt
+
+       if use !bittorrent || use ssl && use !gnutls; then
+               myconf+=( --without-libgcrypt --without-libnettle 
--without-libgmp )
+       else
+               myconf+=( $(use_with !nettle libgcrypt)
+                       $(use_with nettle libnettle) $(use_with nettle libgmp) )
+       fi
+
+       # metalink+xmlrpc := libxml2 / expat
+       # USE=(metalink || xmlrpc)
+       #  + USE=libxml2 -> libxml2
+       #  + USE=-libxml2 -> expat
+
+       if use metalink || use xmlrpc; then
+               myconf+=( $(use_with !libxml2 libexpat) $(use_with libxml2) )
+       else
+               myconf+=( --without-libexpat --without-libxml2 )
+       fi
+
+       # Note:
+       # - always enable gzip/http compression since zlib should always be 
available anyway
+       # - always enable epoll since we can assume kernel 2.6.x
+       # - other options for threads: solaris, pth, win32
+       econf "${myconf[@]}"
+}
+
+src_install() {
+       default
+       rm -rf "${D}"/usr/share/doc/aria2 \
+               "${D}"/usr/share/doc/${PF}/README{,.html}
+
+       dobashcomp doc/bash_completion/aria2c
+       use scripts && dobin doc/xmlrpc/aria2{mon,rpc}
+}
+
+pkg_postinst() {
+       if use xmlrpc; then
+               elog "If you would like to use the additional aria2mon and 
aria2rpc tools,"
+               elog "you need to have \033[1mdev-lang/ruby\033[0m installed."
+       fi
+}
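Review bot: The condition in src_configure, `if use !bittorrent || use ssl && use !gnutls; then`, groups as `(use !bittorrent || use ssl) && use !gnutls` because shell `||` and `&&` share one precedence level and associate left to right, so with USE=-bittorrent and the default USE=+gnutls the test is false and the else branch still passes `--with-libnettle --with-libgmp` (or `--with-libgcrypt`) even though CDEPEND only requires those libraries under `bittorrent?`. The comment block above it spells out the intended `use !bittorrent || (use ssl && use !gnutls)` logic, so the grouping should be explicit: `if use !bittorrent || { use ssl && use !gnutls; }; then`. Separately, the first line still reads `# Copyright 1999-2018 Gentoo Foundation` on a file committed in April 2019; Gentoo's copyright policy expects the header year to be current when the file is changed. Both presumably carry over from the previous revision of this ebuild rather than being introduced here, but this new file is the place to correct them.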

diff --git a/net-misc/aria2/files/aria2-1.34.0-mask-headers.patch 
b/net-misc/aria2/files/aria2-1.34.0-mask-headers.patch
new file mode 100644
index 00000000000..694681d8885
--- /dev/null
+++ b/net-misc/aria2/files/aria2-1.34.0-mask-headers.patch
@@ -0,0 +1,46 @@
+From 37368130ca7de5491a75fd18a20c5c5cc641824a Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <[email protected]>
+Date: Sat, 5 Jan 2019 09:32:40 +0900
+Subject: [PATCH] Mask headers
+
+---
+ src/HttpConnection.cc | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/HttpConnection.cc b/src/HttpConnection.cc
+index 77cb9d27a..be5b97723 100644
+--- a/src/HttpConnection.cc
++++ b/src/HttpConnection.cc
+@@ -102,11 +102,17 @@ std::string HttpConnection::eraseConfidentialInfo(const 
std::string& request)
+   std::string result;
+   std::string line;
+   while (getline(istr, line)) {
+-    if (util::startsWith(line, "Authorization: Basic")) {
+-      result += "Authorization: Basic ********\n";
++    if (util::istartsWith(line, "Authorization: ")) {
++      result += "Authorization: <snip>\n";
+     }
+-    else if (util::startsWith(line, "Proxy-Authorization: Basic")) {
+-      result += "Proxy-Authorization: Basic ********\n";
++    else if (util::istartsWith(line, "Proxy-Authorization: ")) {
++      result += "Proxy-Authorization: <snip>\n";
++    }
++    else if (util::istartsWith(line, "Cookie: ")) {
++      result += "Cookie: <snip>\n";
++    }
++    else if (util::istartsWith(line, "Set-Cookie: ")) {
++      result += "Set-Cookie: <snip>\n";
+     }
+     else {
+       result += line;
+@@ -154,8 +160,8 @@ std::unique_ptr<HttpResponse> 
HttpConnection::receiveResponse()
+   const auto& proc = 
outstandingHttpRequests_.front()->getHttpHeaderProcessor();
+   if (proc->parse(socketRecvBuffer_->getBuffer(),
+                   socketRecvBuffer_->getBufferLength())) {
+-    A2_LOG_INFO(
+-        fmt(MSG_RECEIVE_RESPONSE, cuid_, proc->getHeaderString().c_str()));
++    A2_LOG_INFO(fmt(MSG_RECEIVE_RESPONSE, cuid_,
++                    eraseConfidentialInfo(proc->getHeaderString()).c_str()));
+     auto result = proc->getResult();
+     if (result->getStatusCode() / 100 == 1) {
+       socketRecvBuffer_->drain(proc->getLastBytesProcessed());
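Review bot: The four prefix tests in eraseConfidentialInfo (`"Authorization: "`, `"Proxy-Authorization: "`, `"Cookie: "`, `"Set-Cookie: "`) all require a single space after the colon, so a header written as `Set-Cookie:name=value` — valid under RFC 7230, where the whitespace after the colon is optional — is copied into the log unmasked by the `else` branch. That case now matters more than before, because the second hunk routes server-supplied response headers through this function in receiveResponse, and the server controls their spacing. Dropping the trailing space from each prefix, e.g. `if (util::istartsWith(line, "Set-Cookie:")) {`, keeps the match anchored on the full header name while covering any amount of optional whitespace; the replacement strings can stay as written. The enclosing function opens before the first hunk line and continues past the last one.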
